---
page_title: "cloudflare_access_application Resource - Cloudflare"
subcategory: ""
description: |-
  Provides a Cloudflare Access Application resource. Access
  Applications are used to restrict access to a whole application using an
  authorisation gateway managed by Cloudflare.
---

# cloudflare_access_application (Resource)

Provides a Cloudflare Access Application resource. Access
Applications are used to restrict access to a whole application using an
authorisation gateway managed by Cloudflare.

~> It's required that an `account_id` or `zone_id` is provided and in
   most cases using either is fine. However, if you're using a scoped
   access token, you must provide the argument that matches the token's
   scope. For example, an access token that is scoped to the "example.com"
   zone needs to use the `zone_id` argument.

## Example Usage

```terraform
resource "cloudflare_access_application" "staging_app" {
  zone_id                   = "0da42c8d2132a9ddaf714f9e7c920711"
  name                      = "staging application"
  domain                    = "staging.example.com"
  type                      = "self_hosted"
  session_duration          = "24h"
  auto_redirect_to_identity = false
}

# With CORS configuration
resource "cloudflare_access_application" "staging_app" {
  zone_id          = "0da42c8d2132a9ddaf714f9e7c920711"
  name             = "staging application"
  domain           = "staging.example.com"
  type             = "self_hosted"
  session_duration = "24h"
  cors_headers {
    allowed_methods   = ["GET", "POST", "OPTIONS"]
    allowed_origins   = ["https://example.com"]
    allow_credentials = true
    max_age           = 10
  }
}
```
<!-- schema generated by tfplugindocs -->
## Schema

### Optional

- `account_id` (String) The account identifier to target for the resource. Conflicts with `zone_id`.
- `allowed_idps` (Set of String) The identity providers selected for the application.
- `app_launcher_logo_url` (String) The logo URL of the app launcher.
- `app_launcher_visible` (Boolean) Option to show/hide applications in App Launcher. Defaults to `true`.
- `auto_redirect_to_identity` (Boolean) Option to skip identity provider selection if only one is configured in `allowed_idps`. Defaults to `false`.
- `bg_color` (String) The background color of the app launcher.
- `cors_headers` (Block List) CORS configuration for the Access Application. See below for reference structure. (see [below for nested schema](#nestedblock--cors_headers))
- `custom_deny_message` (String) Option that returns a custom error message when a user is denied access to the application.
- `custom_deny_url` (String) Option that redirects to a custom URL when a user is denied access to the application via identity based rules.
- `custom_non_identity_deny_url` (String) Option that redirects to a custom URL when a user is denied access to the application via non identity rules.
- `custom_pages` (Set of String) The custom pages selected for the application.
- `domain` (String) The primary hostname and path that Access will secure. If the app is visible in the App Launcher dashboard, this is the domain that will be displayed.
- `enable_binding_cookie` (Boolean) Option to provide increased security against compromised authorization tokens and CSRF attacks by requiring an additional "binding" cookie on requests. Defaults to `false`.
- `footer_links` (Block Set) The footer links of the app launcher. (see [below for nested schema](#nestedblock--footer_links))
- `header_bg_color` (String) The background color of the header bar in the app launcher.
- `http_only_cookie_attribute` (Boolean) Option to add the `HttpOnly` cookie flag to access tokens.
- `landing_page_design` (Block List, Max: 1) The landing page design of the app launcher. (see [below for nested schema](#nestedblock--landing_page_design))
- `logo_url` (String) Image URL for the logo shown in the app launcher dashboard.
- `name` (String) Friendly name of the Access Application.
- `saas_app` (Block List, Max: 1) SaaS configuration for the Access Application. (see [below for nested schema](#nestedblock--saas_app))
- `same_site_cookie_attribute` (String) Defines the same-site cookie setting for access tokens. Available values: `none`, `lax`, `strict`.
- `self_hosted_domains` (Set of String) List of domains that access will secure. Only present for self_hosted, vnc, and ssh applications. Always includes the value set as `domain`.
- `service_auth_401_redirect` (Boolean) Option to return a 401 status code in service authentication rules on failed requests. Defaults to `false`.
- `session_duration` (String) How often a user will be forced to re-authorise. Must be in the format `48h` or `2h45m`. Defaults to `24h`.
- `skip_interstitial` (Boolean) Option to skip the authorization interstitial when using the CLI. Defaults to `false`.
- `tags` (Set of String) The itags associated with the application.
- `type` (String) The application type. Available values: `app_launcher`, `bookmark`, `biso`, `dash_sso`, `saas`, `self_hosted`, `ssh`, `vnc`, `warp`. Defaults to `self_hosted`.
- `zone_id` (String) The zone identifier to target for the resource. Conflicts with `account_id`.

### Read-Only

- `aud` (String) Application Audience (AUD) Tag of the application.
- `id` (String) The ID of this resource.

<a id="nestedblock--cors_headers"></a>
### Nested Schema for `cors_headers`

Optional:

- `allow_all_headers` (Boolean) Value to determine whether all HTTP headers are exposed.
- `allow_all_methods` (Boolean) Value to determine whether all methods are exposed.
- `allow_all_origins` (Boolean) Value to determine whether all origins are permitted to make CORS requests.
- `allow_credentials` (Boolean) Value to determine if credentials (cookies, authorization headers, or TLS client certificates) are included with requests.
- `allowed_headers` (Set of String) List of HTTP headers to expose via CORS.
- `allowed_methods` (Set of String) List of methods to expose via CORS.
- `allowed_origins` (Set of String) List of origins permitted to make CORS requests.
- `max_age` (Number) The maximum time a preflight request will be cached.


<a id="nestedblock--footer_links"></a>
### Nested Schema for `footer_links`

Optional:

- `name` (String) The name of the footer link.
- `url` (String) The URL of the footer link.


<a id="nestedblock--landing_page_design"></a>
### Nested Schema for `landing_page_design`

Optional:

- `button_color` (String) The button color of the landing page.
- `button_text_color` (String) The button text color of the landing page.
- `image_url` (String) The URL of the image to be displayed in the landing page.
- `message` (String) The message of the landing page.
- `title` (String) The title of the landing page.


<a id="nestedblock--saas_app"></a>
### Nested Schema for `saas_app`

Required:

- `consumer_service_url` (String) The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
- `sp_entity_id` (String) A globally unique name for an identity or service provider.

Optional:

- `custom_attribute` (Block List) Custom attribute mapped from IDPs. (see [below for nested schema](#nestedblock--saas_app--custom_attribute))
- `default_relay_state` (String) The relay state used if not provided by the identity provider.
- `name_id_format` (String) The format of the name identifier sent to the SaaS application. Defaults to `email`.

Read-Only:

- `idp_entity_id` (String) The unique identifier for the SaaS application.
- `public_key` (String) The public certificate that will be used to verify identities.
- `sso_endpoint` (String) The endpoint where the SaaS application will send login requests.

<a id="nestedblock--saas_app--custom_attribute"></a>
### Nested Schema for `saas_app.custom_attribute`

Required:

- `source` (Block List, Min: 1, Max: 1) (see [below for nested schema](#nestedblock--saas_app--custom_attribute--source))

Optional:

- `friendly_name` (String) A friendly name for the attribute as provided to the SaaS app.
- `name` (String) The name of the attribute as provided to the SaaS app.
- `name_format` (String) A globally unique name for an identity or service provider.
- `required` (Boolean) True if the attribute must be always present.

<a id="nestedblock--saas_app--custom_attribute--source"></a>
### Nested Schema for `saas_app.custom_attribute.source`

Required:

- `name` (String) The name of the attribute as provided by the IDP.

## Import

Import is supported using the following syntax:

```shell
$ terraform import cloudflare_access_application.example <account_id>/<application_id>
```
